[Bro-Dev] [Bro-Commits] [git/bro] topic/bernhard/file-analysis-x509: Second try on the event interface. (7ba6bcf)

Bernhard Amann bernhard at ICSI.Berkeley.EDU
Fri Feb 28 08:01:17 PST 2014


On Feb 28, 2014, at 6:37 AM, Seth Hall <seth at icir.org> wrote:

> 
> On Feb 28, 2014, at 6:04 AM, Bernhard Amann <bernhard at ICSI.Berkeley.EDU> wrote:
> 
>> -event x509_extension(f: fa_file, ext: X509::Extension)
>> +event x509_extension(f: fa_file, cert: X509::Certificate, ext: X509::Extension)
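Review bot: The new `cert: X509::Certificate` argument in the `x509_extension` signature is undocumented, and it changes the event's parameter list, so any handler written against the old `(f: fa_file, ext: X509::Extension)` form no longer matches. Add a doc comment on the event stating what `cert` carries and how it relates to `ext`, and mention the signature change in the commit message or change notes so script authors know to update their handlers.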
> 
> Would it make more sense to leave the cert out?  Seems like state we should collect in script land instead of passing it through from the core each time.

The “cert” is only a record in the events. So the only thing that is passed around is a ref-counted
pointer. The actual certificate string is not passed to script land anymore (when I am finished you
will be able to get it if you really want to, but it will not be exposed by default).

An opaque type is passed around - this makes certificate verification possible without having to re-parse
them with OpenSSL.

I thought that that is OK. Or do you mean something else?

Bernhard

